Logging and Monitoring

In This Section: Log Analysis Views and Reports To Learn More About Logging and Monitoring

Log Analysis

SmartConsole lets you transform log data into security intelligence. Search results are fast and immediately show the log records you need. The Security Gateways send logs to the Log Servers on the Security Management Server or on a dedicated server. Logs show on the SmartConsole Logs & Monitor Logs tab. You can:

• Quickly search through logs with simple Google-like searches.
• Select from many predefined search queries to find the applicable logs.
• Create your own queries using a powerful query language.
• Monitor logs from administrator activity and connections in real-time.

Configuring Logging

To configure logging from a Security Gateway to a Security Management Server or a Log Server:

1. Define one or more Log Servers (if necessary).
2. Enable logging on the Security Management Server and the Log Servers.
3. Configure the Security Gateways to send logs to the Log Servers.
4. Install the Policy.

To enable logging on a server:

1. In SmartConsole, go to Gateways & Servers and double-click the server object.

   The properties window opens.

2. Establish Secure Internal Communication between the Security Management Server and the Log Server. Make the certificate state: Trust Established.
3. In the Management tab, select Logging & Status.
4. From the navigation tree, click Logs.

   This shows the Security Gateways that forward logs to this machine.

5. Make sure that Enable Log Indexing is selected. It is enabled by default optimizes the log search time.
6. Click OK.

To configure a Security Gateway to send logs to log servers:

1. In SmartConsole, go to Gateways & Servers and double-click the gateway object.

   The gateway properties window opens.

2. From the navigation tree, click Logs.
3. In the Send gateway logs and alerts to server section, click the plus sign and select a server.

   Make sure that in the Type column, Send Logs and Alerts is selected.

4. Optional - In the In case one of the above log servers is unreachable, send logs to, add backup servers.

To complete the configuration:

1. Click Publish.
2. Click Install Policy.

Enabling Log Indexing

Log indexing on the Security Management Server or Log Server reduces the time it takes to run a query on the logs. Log indexing is enabled by default.

In a standalone deployment, log indexing is disabled by default. Enable log indexing only if the standalone computer CPU has 4 or more cores.

To manually enable Log Indexing:

1. Open SmartConsole.
2. From the Gateways & Servers view, double-click the Security Management Server or Domain Log Server object.

   The General Properties window opens.

3. In the Management tab, select Logging & Status.
4. From the navigation tree, click Logs.
5. Select Enable Log Indexing.
6. Click OK.
7. Click Publish.
8. From Menu, select Install Database.

Sample Log Analysis

This is a sample procedure that shows how to do an analysis of a log of a dropped connection.

To show a log of a dropped connection:

1. Log into SmartConsole.
2. Connect to the IP address of the Security Management Server, not to a Log Server.
3. In the Security Policies > Access Control > Policy view, select a rule with the Drop action.
4. In the bottom pane, click Logs.

   This shows the logs for connections that were dropped by the Rule Base.

5. Double-click a log.

   The Log Details window opens.

Tracking Options

Select these options in the Track column of a rule:

• None - Do not generate a log.
• Log - This is the default Track option. It shows all the information that the Security Gateway used to match the connection. At a minimum, this is the Source, Destination, Source Port, and Destination Port. If there is a match on a rule that specifies an application, a session log shows the application name (for example, Dropbox). If there is a match on a rule that specifies a Data Type, the session log shows information about the files, and the contents of the files.
• Accounting - Select this to update the log at 10 minute intervals, to show how much data has passed in the connection: Upload bytes, Download bytes, and browse time.

Note - When upgrading from R77.xx or from R80 to R80.10, there are changes to the names of the options in the Track column. To learn more see sk116580.

Advanced Track options

Detailed Log and Extended Log are only available if one or more of these Blades are enabled on the Layer: Applications & URL Filtering, Content Awareness, or Mobile Access.

• Detailed Log - Equivalent to the Log option, but also shows the application that matched the connections, even if the rule does not specify an application. Best Practice - Use for a cleanup rule (Any/Internet/Accept) of an Applications and URL Filtering Ordered Layer that was upgraded from an R77 Application Control Rule Base.
• Extended Log - Equivalent to the Detailed option, but also shows a full list of URLs and files in the connection or the session. The URLs and files show in the lower pane of the Logs view.

Log Generation

• per Connection - Select this to show a different log for each connection in the session. This is the default for rules in a Layer with only Firewall enabled. These are basic firewall logs.
• per Session - Select this to generate one log for all the connections in the same session. This is the default for rules in a Layer with Applications and URL Filtering or Content Awareness enabled. These are basic Application Control logs.

Alert:

For each alert option, you can define a script in Menu > Global Properties > Log and Alert > Alerts.

• None - Do not generate an alert.
• Alert - Generate a log and run a command, such as: Show a popup window, send an email alert or an SNMP trap alert, or run a user-defined script as defined in the Global Properties.
• SNMP - Send an SNMP alert to the SNMP GUI, or run the script defined in the Global Properties.
• Mail - Send an email to the administrator, or run the mail alert script defined in the Global Properties.
• User Defined Alert - Send one of three possible customized alerts. The alerts are defined by the scripts specified in the Global Properties.

Log Sessions

A session is a user's activity at a specified site or with a specified application. The session starts when a user connects to an application or to a site. The Security Gateway includes all the activity that the user does in the session in one session log.

To search for log sessions:

In the Logs tab of the Logs & Monitor view, search for type:Session

To see details of the log session:

In the Logs tab of the Logs & Monitor view, select a session log.

In the bottom pane of the Logs tab, click the tabs to see details of the session log:

• Connections - Shows all the connections in the session. These show if Per connection is selected in the Track option of the rule.
• URLs - Shows all the URLs in the session. These show if Extended Log is selected in the Track option of the rule.
• Files - Shows all the files uploaded or downloaded in the session. These show if Extended Log is selected in the Track option of the rule, or if a Data Type was matched on the connection.

To see the session log for a connection that is part of a session:

1. In the Logs tab of the Logs & Monitor view, double-click on the log record of a connection that is part of a session.
2. In the Log Details, click the session icon (in the top-right corner) to see the session log.

To configure the session timeout:

By default, after a session continues for three hours, the Security Gateway starts a new session log. You can change this in SmartConsole from the Manage & Settings view, in Blades > Application Control and URL Filtering > Advanced Settings > General > Connection unification.

For sessions that are blocked by the Access Control Policy, the Security Gateway starts a new session log after 30 seconds. A blocked session log include all the connections that are blocked in this period.